Security Advisories: GSA_kwCzR0hTQS02ZjU4LWozMjMtNjQ3Ms4AA21F
pimcore/admin-ui-classic-bundle Unverified Password Change
Impact
Because the old password can be set as the new password, this is considered a password policy violation.
Pimcore does not enforce a strict password policy, which allows an attacker to set the old password as the new password.
Proof of Concept
- Go to the Admin link.
- Log in and click on "User | My Profile".
- Go to "Change password", enter the old password as the new password and click Save.
Patches
Workarounds
Update to version 1.2.0 or apply this patch manually:
https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch
References
https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/
Permalink: https://github.com/advisories/GHSA-6f58-j323-6472
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02ZjU4LWozMjMtNjQ3Ms4AA21F
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00085
EPSS Percentile: 0.3753
Identifiers: GHSA-6f58-j323-6472, CVE-2023-5844
References:
- https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-6f58-j323-6472
- https://nvd.nist.gov/vuln/detail/CVE-2023-5844
- https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea
- https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021
- https://github.com/advisories/GHSA-6f58-j323-6472
Blast Radius: 3.6
Affected Packages
packagist:pimcore/admin-ui-classic-bundle
Dependent packages: 28
Dependent repositories: 7
Downloads: 566,739 total
Affected Version Ranges: < 1.2.0
Fixed in: 1.2.0
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4
All unaffected versions: 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.7.0, 1.7.1, 1.7.2, 1.7.3